Identifying the Different Types of Login Issues on Mac Systems

There may come a time, either during the initial setup or after some mysterious change in the environment, when an account fails to let the user in. After all, AD environments are like ice cream: they come in all kinds of flavors, and some even have sprinkles on top.

In practice, the overwhelming majority of login failures are caused by a configuration error.

Here is a list of the most common types of login issue, ordered from easiest to hardest to identify and diagnose.

The first and most important step is to determine EXACTLY what the user sees when the login fails, because the symptom tells you which of the sections below applies:

== Unreachable Network Home Folder ==

If an error prompt is shown, it is very likely that a network home folder is configured and the Mac is unable to connect to it.

When this happens:

Check that the network home path is correct and that the file server is entered as a fully qualified domain name rather than a short host name.

An easy-to-miss error is extra whitespace in the path: scroll to the end of the line and make sure no trailing spaces have been inserted after the path.

Use the following command to check what home path has been configured for the user:

    adquery user -h ad_username

A good test for verifying that the network home is accessible:
– a. Log in to the Mac with a local account.
– b. Use Finder > Go > Connect to Server to mount the share as a regular network folder.
– c. Enter the AD account's credentials when prompted.
– d. Check that the user can both read and write to the share from the Mac.
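The two path mistakes described above (trailing whitespace and a server that is not fully qualified) are easy to check mechanically. The following is an added example, not code from the original article or from Centrify: a small POSIX shell function that inspects a home path string of the kind `adquery user -h ad_username` prints. It assumes the share is written as an smb:// or afp:// URL; the server names and sample paths are constructed for illustration and no real server is contacted.

```shell
#!/bin/sh
# Added example (not part of the original article): sanity-check a network
# home path string for trailing whitespace and a non-FQDN server name.
# Assumes the path is an smb:// or afp:// URL. Sample values are constructed.

# check_home_path PATH -> prints each problem found; returns 0 if clean, 1 if not.
check_home_path() {
    path=$1
    rc=0

    # Trailing whitespace is invisible in a GUI field. Compare the string with
    # a copy that has trailing spaces and tabs removed.
    stripped=$(printf '%s' "$path" | sed 's/[[:space:]]*$//')
    if [ "$stripped" != "$path" ]; then
        echo "trailing whitespace at end of path: '$path'"
        rc=1
    fi

    # Pull the server name out of the URL.
    case $stripped in
        smb://*|afp://*)
            host=${stripped#*://}
            host=${host%%/*}
            ;;
        *)
            echo "not an smb:// or afp:// URL: '$stripped'"
            return 1
            ;;
    esac

    # A fully qualified name has at least one dot (fs01.corp.example.com, not fs01).
    case $host in
        *.*) ;;
        *)
            echo "server name is not fully qualified: '$host'"
            rc=1
            ;;
    esac
    return $rc
}

# Demonstration on constructed sample values (no real servers are contacted):
for sample in 'smb://fs01.corp.example.com/homes/jdoe' \
              'smb://fs01/homes/jdoe' \
              'smb://fs01.corp.example.com/homes/jdoe  '; do
    if check_home_path "$sample"; then
        echo "OK: '$sample'"
    fi
done
# On a bound Mac, check the live value with:
#   check_home_path "$(adquery user -h ad_username)"
```

The function reports every problem it finds rather than stopping at the first one, so a path with both a short host name and a trailing space produces two lines; the exit status is what a wrapper script should act on.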

== Unreachable Local Home Folder ==

If the login hangs with a spinning icon in the login box, it is likely that a local home folder is being used and that either the UID of the folder does not match the AD account's UID or the local path has been configured incorrectly.

When this happens:

Check that the home path has been set up correctly. The same adquery command used for network home paths above should return the following format for a local home folder:

    adquery user -h ad_username
    /Users/ad_username

If the path is correct, check that the UID of the home folder matches the UID of the AD account. First run:

    adquery user -u ad_username

This returns the UID of the AD account as seen by the Mac. Then run:

    ls -ln /Users/

This lists the home folders under /Users/ together with the numeric UIDs of the users that own them. The owner UID of the target home folder must match the UID of its corresponding AD account.

Check the length of the computer name. If the hostname is longer than 15 characters, there could be a pre-Windows 2000 (NetBIOS) computer name conflict in AD, because that name is limited to 15 characters. If so:
– a. Unbind the Mac from the domain.
– b. Rename the Mac to a name of 15 characters or fewer.
– c. Rebind the Mac under the new hostname.

Open /etc/centrifydc/centrifydc.conf and make sure the user is not being blocked by one of the PAM filtering parameters:

    pam.allow.users
    pam.allow.groups
    pam.deny.users
    pam.deny.groups

Try flushing and rebuilding the AD cache for that user with the following steps:
– a. Log in to the Mac as a local admin and open the Terminal.
– b. Run the command:

    adinfo

– c. Make sure that the CentrifyDC mode is: Connected
– d. Flush the AD cache and then do a Terminal login as the affected AD user:

    sudo adflush
    login ad_username

– e. If the Terminal login works, the user should now also be able to log in via the regular login screen.

(For offline login failures)

Check whether the account is configured with a network home directory: an off-network Mac cannot reach a home folder that lives outside the Mac, so a user with a network home folder will not be able to log in while offline.

Check that the cache is not being encrypted. Open /etc/centrifydc/centrifydc.conf and check that the following parameter is set to false:

    adclient.cache.encrypt: false

As the parameter description notes: "If you enable this feature the cache will be flushed each time adclient starts up." If the cache is flushed at every restart, there are no cached credentials left on the machine, and it cannot fetch them again from AD while it is offline.

(For licensed users only) If the Mac is joined in Zone Mode, check that the AD account has been provisioned into the Zone and is authorised for login. To verify whether the user has been provisioned correctly, either check the Centrify documentation, or log in to the Customer Support Portal KB archive and search for the article:

KB-3038: How to add an AD user into a Centrify Zone.

=== End of the line ===

If you’ve reached here then all hope is lost.

Just kidding. Download the Mac Diagnostic Tool and use the [ Save Basic Info... ] button to generate a Basic_Log_Pack.zip. Keep this pack handy and, depending on the version of Centrify you have, get in touch with us and we'll see where we can go from there:

If you are using Centrify Express: make a post to our Community Forums and describe precisely what the users are seeing and what you have done so far.
Centrify Community Forums: http://community.centrify.com

If you are using Centrify Standard / Enterprise: log in to the Support Portal to create a new support ticket. As above, describe precisely what the users are seeing, and also attach the Basic_Log_Pack.zip from the Diagnostic Tool so that we can hit the ground running as soon as we receive the ticket.
Centrify Support Portal: https://www.centrify.com/support/portal.asp
